cluster/simulacrum/nowhere: make optional

This commit is contained in:
Max Headroom 2024-08-13 21:24:13 +02:00
parent d784ee0a86
commit c0d21f6b86
2 changed files with 38 additions and 35 deletions

View file

@ -58,44 +58,46 @@ in
imports = [
./options.nix
];
defaults = {
networking.hosts."${getNodeAddr "nowhere"}" = lib.attrNames config.nowhere.names;
security.pki.certificateFiles = [
"${ca}/ca.pem"
];
};
nowhere.certs = {
inherit ca;
intermediate = genCert [ "--config=${cfsslConfigIntermediateCA}" "--profile=intermediate" ] {
CN = "Simulacrum Intermediate CA";
config = lib.mkIf config.nowhere.enable {
defaults = {
networking.hosts."${getNodeAddr "nowhere"}" = lib.attrNames config.nowhere.names;
security.pki.certificateFiles = [
"${ca}/ca.pem"
];
};
};
nodes.nowhere = { config, depot, ... }: {
networking = {
firewall.allowedTCPPorts = [ 443 ];
interfaces.eth1.ipv4.routes = lib.mapAttrsToList (name: hour: {
address = hour.interfaces.primary.addrPublic;
prefixLength = 32;
via = getNodeAddr name;
}) depot.gods.fromLight;
nameservers = map (name: depot.hours.${name}.interfaces.primary.addrPublic) cluster.config.services.dns.nodes.authoritative;
nowhere.certs = {
inherit ca;
intermediate = genCert [ "--config=${cfsslConfigIntermediateCA}" "--profile=intermediate" ] {
CN = "Simulacrum Intermediate CA";
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = lib.mapAttrs (name: link: let
cert = genHostCert name;
in {
forceSSL = true;
sslCertificate = "${cert}/cert.pem";
sslCertificateKey = "${cert}/cert-key.pem";
locations."/" = {
proxyPass = config.links.${link}.url;
extraConfig = "proxy_ssl_verify off;";
};
}) lift.nowhere.names;
nodes.nowhere = { config, depot, ... }: {
networking = {
firewall.allowedTCPPorts = [ 443 ];
interfaces.eth1.ipv4.routes = lib.mapAttrsToList (name: hour: {
address = hour.interfaces.primary.addrPublic;
prefixLength = 32;
via = getNodeAddr name;
}) depot.gods.fromLight;
nameservers = map (name: depot.hours.${name}.interfaces.primary.addrPublic) cluster.config.services.dns.nodes.authoritative;
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = lib.mapAttrs (name: link: let
cert = genHostCert name;
in {
forceSSL = true;
sslCertificate = "${cert}/cert.pem";
sslCertificateKey = "${cert}/cert-key.pem";
locations."/" = {
proxyPass = config.links.${link}.url;
extraConfig = "proxy_ssl_verify off;";
};
}) lift.nowhere.names;
};
};
};
}

View file

@ -2,6 +2,7 @@
{
options.nowhere = {
enable = lib.mkEnableOption "Nowhere";
names = lib.mkOption {
description = "Hostnames that point Nowhere.";
type = with lib.types; attrsOf str;